DCC Meeting Notes – September 13th, 2017
IT Auditing at Brown
IT Audit at Brown – Presentation
Presentation by: Beltus Ikechukwu – IT Auditor
Agenda
- Objective
- Risk Management
- Solution oriented approach – the three lines of defense
- 1st line – Management Controls, Internal Control Measures (Example: Endpoint engineering/DCCs)
- 2nd line – Financial control, security, risk management, quality, inspection, compliance (Example: Mark Dieterich)
- 3rd line – Internal Audit
- Internal audit at Brown
- Independent, objective (does it make sense?), assurance and consultative activity designed to add value to the organization.
- Mission at Brown – Help the Corporation protect University resources and enhance the achievement of enterprise-wide strategies by evaluating and monitoring risks, processes and policies significant to the University’s mission.
- Vision – Excel as value-added service that is committed to your goals.
- Authority – Has free, full and unrestricted access as necessary to any and all University information, activities, records, property, etc.
- Process – Risk-based approach: Project Planning and Risk Assessment, Test Work, Reporting (Draft and Final), Follow-up
- IT audit at Brown
- Focused on risks that impact
- Organizational Units – Centralized and Decentralized IT Processes
- Infrastructure – Networking, Compute, Storage
- A simple control model (SANS 20) – see slide show, page 15
- Risk Management
- Potential Risks – Insider threat, Point of Sale intrusions, Cyber espionage/phishing/ransomware
- FAQ
- How is my department selected for an Audit?
- Risk assessment or your request
- How long does an audit typically take?
- Depends on size, complexity, and strength of internal controls
- How much of my time will the audit require?
- We are considerate
- How can I prepare for an audit?
- Have key documents ready.
- How confidential will the information I provide to you and my audit report be?
- All info received and managed by the Office of Internal Audit Services is held at the appropriate level of confidentiality.
- Common Findings
- Lack of formalized policies and procedures
- Inappropriate access management
- Segregation of duties
- Mis-configurations
- Change management
- Data Security
Questions
- Does Brown already have computer policies in place? Where are they?
- Answer – Yes, they can be found here: https://it.brown.edu/computing-policies
- Most of us have our first encounter with IT Audit due to an incident; what is the threshold for when an IT audit will take place?
- Answer – Auditing can take place during an incident to bring in an outside perspective, like another set of eyes. It can be used as a time to help solve the issue while knowing the risk has been lowered or removed. There is no specific threshold.
Chris Grossi – Announcements
- Mary Salvas has announced retirement
- Licensing issues will go through Chris Grossi
- Remotes Apps have been rolled out to everyone
- Remoteapp.brown.edu
- PPrint upgrades were overall successful
- Over 700 queues
- Looking for interest in Adobe Stock software
- The software provides a library of stock images.
- Keyserver – Users should be seeing messages notifying them to upgrade to newer non-keyed software.
- Google Drive app – being deprecated
Link to audio: http://www.brown.edu/cis/support/dcc/audio/audioarchive/DCC%20mtg%209-13-17.mp3